MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 430032941fdecfc49abdef2ede2ffe04c66b99df498a2739005c726cea9ea183. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 430032941fdecfc49abdef2ede2ffe04c66b99df498a2739005c726cea9ea183
SHA3-384 hash: 0a64a6e307ea8575ca4bd97a3906309678fa5f8b72ec65630060120e0c03ed0db45b9ef1ee8c7a88514944e60f2851cd
SHA1 hash: 900a82d2498b1895abe71fb64ee3387e87aa7d8f
MD5 hash: 9406f9f170c41fa53ec65ec47e58405a
humanhash: dakota-victor-early-berlin
File name:Audacity.exe.bin
Download: download sample
File size:1'043'992 bytes
First seen:2020-09-29 15:52:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf6171d5e900bf93e668170d1a189f34 (4 x CryptBot, 1 x Amadey, 1 x RedLineStealer)
ssdeep 24576:dgbWcQIUoDuyB0u0zYvT5ZaIn6zwL46SrTrlB0LntUNu3mW7dQVq4GIpU6L:dIXQD8xvT5Za26zOSrTWd3mWJQVh31L
Threatray 17 similar samples on MalwareBazaar
TLSH F025231177E6C675F3E266726BD8F7725DB8F620239688CB17940804AF97BD6CA3C009
Reporter Aura
Tags:taurus


Avatar
SecurityAura
Part of a campaign that impersonalised the Audacity website at audacity[.]cloud. The Windows download link pointed to:

makeref[.]com/Audacity.zip

The .exe is inside the .zip. Ends up communicating with:

http://gtransmissiongroup.com/info.php

See @Arkbird_SOLG tweet and write-up:

https://twitter.com/Arkbird_SOLG/status/1303072629809647617

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66815/
Detection(s):
PUA.Win.Dropper.Driverpack-6931197-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/477616
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Delayed program exit found
Drops PE files with a suspicious file extension
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 291257 Sample: Audacity.exe.bin Startdate: 29/09/2020 Architecture: WINDOWS Score: 100 67 Antivirus / Scanner detection for submitted sample 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Sigma detected: Drops script at startup location 2->71 73 4 other signatures 2->73 10 Audacity.exe.exe 7 2->10         started        13 wscript.exe 2->13         started        process3 signatures4 81 Contains functionality to register a low level keyboard hook 10->81 15 cmd.exe 1 10->15         started        17 cmd.exe 1 10->17         started        process5 signatures6 20 cmd.exe 2 15->20         started        24 conhost.exe 15->24         started        65 Drops PE files with a suspicious file extension 17->65 26 conhost.exe 17->26         started        process7 file8 47 C:\Users\user\AppData\Local\...\lsass.com, PE32 20->47 dropped 75 Uses ping.exe to sleep 20->75 28 lsass.com 20->28         started        31 PING.EXE 1 20->31         started        34 PING.EXE 1 20->34         started        36 certutil.exe 2 20->36         started        signatures9 process10 dnsIp11 83 Drops PE files with a suspicious file extension 28->83 38 lsass.com 7 28->38         started        59 127.0.0.1 unknown unknown 31->59 61 192.168.2.1 unknown unknown 31->61 63 JkptKA.GGUP 34->63 signatures12 process13 dnsIp14 55 THSeBLmuFEvRXsuG.THSeBLmuFEvRXsuG 38->55 49 C:\Users\user\AppData\Roaming\...\frokles.com, PE32 38->49 dropped 51 C:\Users\user\AppData\Local\...\ipconfig.exe, PE32 38->51 dropped 53 C:\Users\user\AppData\Roaming\...\frokles.url, MS 38->53 dropped 77 Writes to foreign memory regions 38->77 79 Maps a DLL or memory area into another process 38->79 43 ipconfig.exe 12 38->43         started        file15 signatures16 process17 dnsIp18 57 gtransmissiongroup.com 5.61.49.186, 49715, 49730, 49734 SCALAXY-ASNL United Kingdom 43->57 85 Delayed program exit found 43->85 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/430032941fdecfc49abdef2ede2ffe04c66b99df498a2739005c726cea9ea183/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2020-09-26 07:00:55 UTC
AV detection:
13 of 48 (27.08%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928
637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
e832fe2b9251b58442d1c9e380ae5f5d338af57a43329f79786e333c15507ec4
eb7f8c540e1fec50dbf69d1118d556130a32c7f08806c9cf0b12a63eaa2ac735
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200929-z2j7q6qas2/
Behaviour
Gathers network information
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
430032941fdecfc49abdef2ede2ffe04c66b99df498a2739005c726cea9ea183
MD5 hash:
9406f9f170c41fa53ec65ec47e58405a
SHA1 hash:
900a82d2498b1895abe71fb64ee3387e87aa7d8f
Link:
https://www.unpac.me/results/efeb10c3-ca08-4c76-9271-ef481ac2356d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
HiddenRun
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/430032941fdecfc49abdef2ede2ffe04c66b99df498a2739005c726cea9ea183

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 430032941fdecfc49abdef2ede2ffe04c66b99df498a2739005c726cea9ea183

(this sample)

anyrun
any.run
https://app.any.run/tasks/df5a51ae-3959-42a0-b568-58943573fa50
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/66815/

Comments